Episode 614 – Firewall evasion, SSH and virtual appliances!

Got a restrictive firewall blocking sites at school or work? Evade ‘em easily with your own private web proxy. Want to securely tunnel any port through an SSH session? Darren’s got just the trick. Wondering how to properly use Asleap to crack MS-CHAPv2 PPTP VPN handshakes & LM Hashes? Interested in trying out neat free enterprise applications but don’t feel like spending hours in a terminal? Try deploying a virtual appliance in minutes, the free and open source way.

SSH Tunneling isn’t new to the show, we’ve done it before over DNS or in conjunction with VNC. Today we’re looking at two SSH tricks for tunneling just about any traffic.

First up, ssh -D. The -D option specifies a local “dynamic” application-level port forward. Any connection made to the specified local port goes through the tunnel, with the SSH client acting as a SOCKS4 or SOCKS5 proxy. Perfect for secure web browsing, as demonstrated with Firefox in this segment.

Usage

ssh -D 8080 user@server
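As an added example (not code from the episode), here is the SOCKS5 exchange an application carries out against the local port that ssh -D opens, with a constructed in-process stand-in for the listener so it runs offline. The detail worth checking in any client you point at the tunnel is that it sends the hostname (address type 0x03) so the SSH server, not the client machine, resolves DNS.

```python
import socket
import struct
import threading
# Added example: the SOCKS5 exchange (RFC 1928) an application performs against the
# listener `ssh -D 8080` opens; ATYP 0x03 (domain) lets the SSH server do the DNS lookup.
VER, NOAUTH, CONNECT, ATYP_IPV4, ATYP_DOMAIN = 5, 0, 1, 1, 3

def build_connect(host, port):
    """CONNECT request carrying the hostname rather than a locally resolved IP."""
    name = host.encode("idna")
    if not 0 < len(name) < 256:
        raise ValueError("hostname length must fit in one byte")
    return bytes([VER, CONNECT, 0, ATYP_DOMAIN, len(name)]) + name + struct.pack("!H", port)

def parse_connect(data):
    """Decode a CONNECT request as the proxy side sees it: (host, port, atyp)."""
    if len(data) < 7 or data[0] != VER or data[1] != CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    if data[3] == ATYP_DOMAIN:
        n = data[4]
        return data[5:5 + n].decode("idna"), struct.unpack("!H", data[5 + n:7 + n])[0], ATYP_DOMAIN
    if data[3] == ATYP_IPV4:  # a client that resolved the name itself (DNS leak)
        return socket.inet_ntoa(data[4:8]), struct.unpack("!H", data[8:10])[0], ATYP_IPV4
    raise ValueError("unsupported address type")

def socks5_connect(proxy, host, port):
    """Greet the proxy with the no-auth method, send CONNECT, return the socket."""
    s = socket.create_connection(proxy, timeout=5)
    s.sendall(bytes([VER, 1, NOAUTH]))  # VER, NMETHODS=1, METHODS=[0x00]
    if s.recv(2) != bytes([VER, NOAUTH]):
        s.close(); raise ConnectionError("proxy refused the no-auth method")
    s.sendall(build_connect(host, port))
    reply = s.recv(262)  # VER REP RSV ATYP BND.ADDR BND.PORT; REP 0x00 = success
    if len(reply) < 4 or reply[1] != 0:
        s.close(); raise ConnectionError("CONNECT failed, reply %r" % reply[:2])
    return s

def mock_proxy_session(host, port):
    """Constructed stand-in for the ssh -D listener; returns what the client asked for."""
    srv = socket.socket(); srv.bind(("127.0.0.1", 0)); srv.listen(1)
    seen = {}
    def serve():
        c, _ = srv.accept()
        c.recv(3); c.sendall(bytes([VER, NOAUTH]))
        seen["req"] = parse_connect(c.recv(262))
        c.sendall(bytes([VER, 0, 0, ATYP_IPV4]) + bytes(6))  # success, BND 0.0.0.0:0
        c.close()
    t = threading.Thread(target=serve); t.start()
    socks5_connect(srv.getsockname(), host, port).close()
    t.join(); srv.close()
    return seen["req"]
```

In Firefox the equivalent switch is network.proxy.socks_remote_dns in about:config; with it off the browser resolves names locally and sends the IP form (address type 0x01), leaking the sites visited to the local network's DNS.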

Second, ssh -L. The -L option enables local port forwarding. Using this option tells the SSH client to listen on a specified local port and forward any traffic it receives through the tunnel. The server receives this data and sends it on to the specified destination, whether that is on the server’s own network or elsewhere. In our example we use the -L option to securely connect to an open IRC server.

The age-old scheme for bypassing restrictive firewalls, like those that block sites at school or work, has been to use a web proxy. Of course, this is followed by the network administrator blocking all mainstream proxies. But what if you could run your own? Well, you can, and it’s really freaking easy. In this segment Darren demonstrates PHProxy.

Cracking MS-CHAPv2 PPTP VPN handshakes & LM Hashes: Follow-up from 6×12

On episode 612 we demonstrated asleap, a tool designed to crack MS-CHAPv2, the authentication protocol commonly found in Microsoft PPTP VPNs. The final demo was unsuccessful due to the encoding of the challenge and response as sniffed by Wireshark. Viewer Sc00bz was kind enough to post a PHP script that accepts the challenge, response and username and provides you with the proper asleap command to run, with the byte sequences properly encoded. Sc00bz has documented the code well, and it now lives on this Hak5 forum thread. Thanks Sc00bz!

Deploying Virtual Appliances in minutes the open source way

A virtual appliance can be thought of as a software image containing a supporting stack designed to run inside a virtual machine. A quick look at VMware’s virtual appliance directory shows that there are hundreds of applications that can be quickly and easily deployed. In this segment I take the Dimdim open source virtual appliance, designed for VMware, and deploy it with VirtualBox (just because I can).

41 Comments

The one thing about SSH tunneling is that not everyone has access to their own VPS to SSH to, and if you just want to tunnel occasionally it’s silly to pay for a whole VPS.

My advice: Amazon EC2. You can spin up a server when you need it and spin it down when you’re done. Only costs you $0.085 an hour. A very small price to pay for privacy on the go, and much better bandwidth than hosting your own on a residential broadband account.

When you are not able to connect to port 22 because of firewall restrictions, instead of using this “PHP-based proxy”, I recommend forwarding port 443 or port 80 on your VPS to port 22, so you can connect to SSH over an open port.

Personally I have my home server running SSH on port 443 at home, so that wherever I am, I can connect to it to tunnel my traffic or access my data.

Also I might mention that you can do IRC and your IP is protected, along with the fact that you have a little node in cyberspace that you can use for offsite backup and can connect to from anywhere. I’m currently using it to watch Hulu.

Great episode, some really useful tips, clean and simple! The episode with OpenVPN ALS was also very nice; using an SSH shell for me is just simple enough and basically all I need.

I don’t use XChat, but doesn’t it support SOCKS? Because in that case you could just use the -D option. I know mIRC does; I’ve used that myself to tunnel my IRC, FTP and HTTP traffic through my box at home when I’m at school (wifi). A little side note: I can highly recommend MyEnTunnel, http://nemesis2.qx.net/pages/MyEnTunnel , to establish and stay connected to your shell, if you want a simple GUI.

Thanks for a nice show! Long-time watcher, been watching all your episodes since the very first one.

@Jakob yes, you are right. What I’m saying is for all-around functionality go with what I said. If you have a home server, etc., that type of thing, then what you are saying works fine as a GUI. So in essence what you are saying is 100% correct for what the app does.

Excellent show. I’ve noticed that they are getting more meaty which is what they should be for a tech channel. If we want to watch fluff, we’d watch the increasingly fluffy news shows, or the E! channel.

@Jakob – the best way to think of a virtual appliance is like a small precompiled operating system with the dependencies already installed for the specific program that you are trying to run. For example, if you have a web conferencing virtual appliance, the web conferencing program might require Perl or SQL. The virtual appliance has all that already installed. Sort of like a specified disk image for the use of one program. Hope that helps.

The proxy solution (and SSH tunneling) works only if the network admin allows all connections to go through the firewall and the router. I personally only allow our proxy server to go out, and other servers (like update servers, etc.). All other machines are restricted inside; they can not even ping the gateway. So if the users change their proxy settings, they will not be able to surf.

I did the freebsdshell.com as recommended and it was perfect, and very easy too. I’m anonymous and have no problems getting past my work or the uni now, whereas I couldn’t before. Thanks for the tip JC Denton.

Hiya all, installed the PHP proxy script and was able to access Facebook and the BT Internet login page, but they would not allow me to log in. Facebook threw an error saying make sure you are logging in from Facebook and not another site. I think this is the only drawback of the script, or am I doing something wrong?

Been doing this ssh-fu for a while. In the days of dialup I would create an SSH tunnel (v2 with compression) over my slow dialup to a Linux box I had at work. Then I would port forward 3128 from my local Linux server to 3128 on the remote server, which was running the Squid proxy. It gave me a little speed bump because of the compression plus caching.

Nice segment about proxies and SSH tunneling, but this is kinda old news. Plus PHProxy is the worst code out there IMHO. Use Zelune because you can actually cache the cookies needed for Flash video, i.e. YouTube works in the proxy. Example is my site http://www.blank1.info or no-ad mode http://www.blank1.info/final... Look forward to watching the rest of the episode.
